Bug 137870 (IT_57746)

Summary: LAUS does not analyze parameters of fcntl() or flock() system calls
Product: Red Hat Enterprise Linux 3
Component: laus
Version: 3.0
Hardware: i686
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Daniel Berrangé <berrange>
Assignee: Peter Martuccelli <peterm>
QA Contact: Jay Turner <jturner>
CC: peterm, srevivo, tao, uthomas
Doc Type: Bug Fix
Last Closed: 2005-01-03 14:59:10 UTC

Description Daniel Berrangé 2004-11-02 13:56:47 UTC

When using LAUS as a debugging / investigative tool, there was a need to audit all
operations on files matching the name /etc/mtab*. In particular, open, link,
fcntl and flock system calls were of great importance. To achieve this a filter
conf was created looking like

predicate is-mtab = prefix("/etc/mtab");

set file-open = {
  "open", "fcntl", "flock", "stat", "stat64", "read", "write", "dup", "dup2"
};

tag "FILE_access"
syscall @file-open = is-mtab(arg0);

LAUS was then configured to turn on auditing system wide with 

  echo 1 > /proc/sys/dev/audit/attach-all

While this successfully captured most system calls requested, it missed off all
occurrences of fcntl() and flock(). At the same time it printed messages in the logs

kernel: Audit daemon registered (process 27009)
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 4 times
kernel: Audit daemon registered (process 27072)
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 30 times
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 173 times
last message repeated 28 times

When the 'fcntl()' and 'flock()' calls were removed from the audit set these
messages go away. Looking in the kernel source, it would appear that these
two system calls do not have their arguments analyzed.

Reproducible: Always
Steps to Reproduce:
1. Try and filter recording of flock() and fcntl() system calls based on
filename using prefix() function

Actual Results:  
Messages thrown in system logs, no use of flock() and fcntl() recorded

Expected Results:  
flock() and fcntl() recorded as matching the predicates

If LAUS were extended to analyze the arguments of every single system call in
the kernel, it would be much more valuable as a system wide debugging tool.
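One practical workaround for the gap described in this report, added here as an example and not part of the bug report or of LAuS: fcntl(2) and flock(2) take a file descriptor as their first argument rather than a path, so a path-based predicate on arg0 has nothing to match against. Auditing those two calls unconditionally (no predicate) and resolving each descriptor to a path afterwards, by replaying the same process's open/dup/dup2/close history, recovers the "which file was locked" information the filter could not give. The event records below are constructed for this example and do not reproduce the LAuS trail or aucat output format; any real post-processor would parse those first.

```python
"""Resolve fd-based audit records (fcntl, flock) to the path the fd refers to.

Added example: replays open/creat/dup/dup2/close per pid so that a later
fd-only record can be attributed to a filename. Constructed input, not the
LAuS record format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FD_SYSCALLS = {"fcntl", "flock"}          # calls whose arg0 is a descriptor, not a path


@dataclass
class Event:
    pid: int
    syscall: str
    args: tuple
    result: int                            # syscall return value as recorded


# Constructed sample trail (hypothetical pids and fds), in chronological order.
CONSTRUCTED_TRAIL = [
    Event(1001, "open",  ("/etc/mtab", 0), 3),
    Event(1001, "flock", (3, 2), 0),       # LOCK_EX on fd 3 -> /etc/mtab
    Event(1001, "dup2",  (3, 7), 7),       # fd 7 now also refers to /etc/mtab
    Event(1001, "close", (3,), 0),
    Event(1001, "fcntl", (7, 6), 0),       # F_SETLK on fd 7 -> /etc/mtab
    Event(1002, "open",  ("/tmp/scratch", 0), 3),
    Event(1002, "flock", (3, 2), 0),       # same fd number, different pid
    Event(1001, "open",  ("/etc/mtab.tmp", 0), 3),  # fd 3 reused after close
    Event(1001, "fcntl", (3, 6), 0),
    Event(1001, "fcntl", (9, 6), -1),      # fd never opened within the trail
]


def replay(events: List[Event],
           path_prefix: Optional[str] = None) -> List[Tuple[int, str, int, Optional[str]]]:
    """Return (pid, syscall, fd, path) for every fd-based call in the trail.

    path is None when the descriptor cannot be resolved (opened before the trail
    began, or inherited across fork/clone, which this example does not model).
    When a prefix is given, unresolved descriptors are kept rather than dropped,
    so an auditor sees what could not be attributed instead of silently losing it.
    """
    tables = {}                            # pid -> {fd: path}
    out = []
    for ev in events:
        fds = tables.setdefault(ev.pid, {})
        if ev.syscall in ("open", "creat") and ev.result >= 0:
            fds[ev.result] = ev.args[0]
        elif ev.syscall == "dup" and ev.result >= 0:
            fds[ev.result] = fds.get(ev.args[0])
        elif ev.syscall == "dup2" and ev.result >= 0:
            fds[ev.args[1]] = fds.get(ev.args[0])
        elif ev.syscall == "close":
            fds.pop(ev.args[0], None)
        elif ev.syscall in FD_SYSCALLS:
            path = fds.get(ev.args[0])
            if path_prefix is None or path is None or path.startswith(path_prefix):
                out.append((ev.pid, ev.syscall, ev.args[0], path))
    return out


if __name__ == "__main__":
    for pid, call, fd, path in replay(CONSTRUCTED_TRAIL, "/etc/mtab"):
        print(f"pid={pid} {call}(fd={fd}) -> {path or 'UNRESOLVED'}")
```

The replay is deliberately conservative: a descriptor it cannot trace is reported as unresolved rather than filtered out, because on a live system the most interesting locks are often taken on descriptors inherited from a parent or opened before the audit daemon attached.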

Comment 1 Peter Martuccelli 2004-11-02 16:38:14 UTC
Extending LAuS support to all of the system calls would increase the
functionality of the product so it could be used for system wide
monitoring.  LAuS implemented support for the system calls that were
required for EAL3 certification.  We have added additional system
calls over the last two updates as requested by @Sec and other users
involved in certification.

Moving ahead, we should associate this work with a feature request as
it represents an extension of LAuS's functionality.